Harvard Business Review just ran an interesting article on the information security aspects of the Internet of Things (IoT). According to its storyline, smart city initiatives are doomed to fail unless the security of IoT devices and systems is improved. While the security of the digital society is obviously a key concern, I am not entirely convinced that relying on the security of individual devices and systems is the best course of action.

The biggest problem with IoT security is that most devices are going to be relatively simple and inexpensive connected things. The bandwidth consumption of these devices should be kept to a minimum. Yet at the same time, security is supposed to be a continuous process. This involves one party that is responsible for keeping an eye on the various security vulnerabilities that emerge from time to time, and another to make sure that suitable patches are prepared and applied on a timely basis.

With smartphones, laptops, and servers, this work has commonly fallen under the responsibility of the device manufacturer, largely because manufacturers have been able to generate considerable service revenue from it. Considering the much lower cost of IoT devices, it is likely that only a small percentage of IoT device users will be willing to pay a premium for such a service. Due to this dynamic, even devices that leave the factory floor in pristine condition face the risk of becoming compromised over time.

Therefore, it seems to me that looking at IoT device manufacturers as the likely saviours is wishful thinking at best. The business logic just is not there.

So where to look for answers?

When people think about Internet security, they often forget how security is taken care of in the physical world. Rather than trying to lock down and protect every single belonging in one's household, we tend to rely on locked doors and alarm systems that protect the perimeters of our homes. The things we keep in our houses tend to be reasonably secure, so long as the doors are locked properly and the windows are not left open.

In much the same way, IoT devices should be placed within the boundaries of protected network environments. While not every IoT device will ever be secure, the associated risks are well contained so long as the perimeter of each machine network is secure. To provide an analogy, my keys are not secure if I leave them on the table at Starbucks — but if I place them on a desk in the safety of my home, the situation changes completely.

Over the last couple of years, the network industry has developed technologies such as Software-Defined Wide Area Networking (SD-WAN) and Network Functions Virtualization (NFV) that allow new networks and security services to be deployed automatically. Although these technologies are not yet widely used for this purpose, they hold the key to securing smart cities as well as any other IoT use case the world holds in store for us.

That is why I believe that the future of IoT security lies in programmable networks and the service providers that operate them for us.

By Juha Holkkola, Co-Founder and Chief Technologist at FusionLayer Inc.


Share your comments

Have you seen the recent Geoff Huston presentation on IoT security?

Mike Burns – May 16, 2017 10:55 AM PST

https://ripe74.ripe.net/archives/video/48/

Can the author comment more on how exactly SD-WAN and NFV will provide security for IoT devices by surrounding them inside a virtual perimeter?

Thanks for the link - I hadn't seen Geoff's speech before but really liked it.

Assuming that the device manufacturers are unable to produce secure things that the public would be willing to buy, I think we have to change something else in the equation. Given the advances that have been made on the networking side, that's the direction from which I would start looking for answers.

As far as SD-WAN goes, it is mostly used for enterprise connectivity between data centres and branches. But as the technology matures, I don't think it would be outside the realm of possibility to think that CSPs would start offering cloud-based SD-WAN services that would offer dedicated virtual overlay networks at price points that made them available to pretty much everyone.

Once we move on to 5G, one possibility would be to use smart phones as vCPEs that are part of the SD-WAN. With this kind of setup, networks wouldn't necessarily be tied up to physical devices at all. Rather, one could set up a new private network segment pretty much anywhere and use that to provide a WiFi, Bluetooth or NFC connectivity for different things.

Now, assuming that our things connected to the public Internet via a private network established between the vCPE and the cloud DC, there are a lot of different services that could be used to enhance the security even further. For example, various kinds of scrubbing services, unified threat management and application-sensitive routing come to mind. The NFV part comes into the picture when these services are deployed (at the edge) as virtual network functions.

While I do appreciate the fact that all the technologies I've described above are still in their infancy, they are already there and could be used today to create very secure network environments. For now, this would be a cost-prohibitive approach to most use cases, but I believe that economies of scale could drive down the prices to a very reasonable level over time. Much like the microprocessors that Geoff talked about.